First observed in March 2025 targeting Windows systems, the BERT ransomware group escalated its operations in May 2025 by launching attacks on Linux machines.
Analysis of two Linux-focused ELF samples reveals an 80% codebase overlap with Sodinokibi (REvil) ransomware, a notorious operation linked to Russian cybercriminals.
The Linux variants employ sophisticated encryption methods, including AES, RC4 PRGA, Salsa20, and ChaCha20 algorithms, as well as Base64 encoding, to obfuscate payloads.
Unlike its Windows counterpart, which appends unique extensions like “.encryptedbybert3,” the Linux version utilizes AWK commands to query system registries, suggesting a hybrid approach that combines old and new tactics.
Security researchers note that BERT’s Linux exploits are designed for stealth, with timestamps manipulated to future dates (e.g., 2047, 2076) to evade detection.
One sample (MD5: 00fdc504be1788231aa7b7d2d1335893) retained a legitimate May 20, 2025, timestamp, confirming recent activity.
The ransomware’s PowerShell scripts further weaken systems by disabling Windows Defender, firewalls, and User Account Control (UAC) before deploying payloads from a Swedish IP (185.100.157.74) linked to Russian firm Edinaya Set Limited.
Multi-Stage Attacks: PowerShell Scripts and Russian Infrastructure
BERT’s attack chain begins with a malicious PowerShell script (start.ps1) hosted on the same server as its payloads. The script performs three critical actions:
- Privilege Escalation: Checks for admin rights and re-executes with elevated permissions if denied.
- Security Disabling: Modifies registry keys to deactivate real-time monitoring, cloud protection, and firewalls; stops critical services like WinDefend and Sense.
- Payload Delivery: Downloads payload.exe from http://185.100.157.74 and executes it.
The use of Russian infrastructure aligns with historical ransomware trends, where threat actors leverage local providers to blend into “bad traffic.”
The Linux payloads, while borrowing heavily from REvil, introduce novel encryption layers, making decryption nearly impossible without the attackers’ RSA keys.
Global Impact and Mitigation Strategies
BERT has targeted organizations in the U.S., UK, Malaysia, Taiwan, Colombia, and Turkey, with the service and manufacturing sectors most affected.
Victims’ data is leaked on a Tor-based site (wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion) in zipped archives labeled “part1,” “part2,” etc. Negotiations occur via the privacy-focused Sessions app, with ransoms demanded in Bitcoin (e.g., 1.5 BTC for a recent victim).
Key Recommendations for Defense:
- Monitor for registry changes to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
- Block traffic to/from 185.100.157.74 and inspect PowerShell scripts for privilege escalation attempts.
- Apply strict access controls on Linux systems, particularly for ELF binaries with irregular timestamps.
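The last recommendation can be turned into a simple hunt. The following Python script is an added example, not code from the report or the researchers: it walks a directory tree and reports ELF files whose modification time lies in the future (the report cites years such as 2047 and 2076) or is newer than the inode change time, which is the usual trace left when only mtime has been rewritten. The thresholds, the constructed sample files and the demo() helper are assumptions for illustration.

```python
import os, tempfile, time
from datetime import datetime, timezone

ELF_MAGIC = b"\x7fELF"
FUTURE_SLACK = 24 * 3600  # clock skew tolerated before an mtime counts as "future" (assumed)
CTIME_SLACK = 2.0         # mtime/ctime drift tolerated on an honest write (assumed)

def is_elf(path):
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC

def timestamp_anomalies(path):
    """Why a file's timestamps look manipulated (empty set = normal). future_mtime: mtime in
    the future (the report saw years like 2047 and 2076). mtime_after_ctime: utime() rewrites
    mtime but the kernel sets ctime to the real current time, so mtime > ctime is a tell."""
    st = os.stat(path)  # POSIX ctime semantics assumed; on Windows st_ctime is creation time
    reasons = set()
    if st.st_mtime > time.time() + FUTURE_SLACK:
        reasons.add("future_mtime")
    if st.st_mtime - st.st_ctime > CTIME_SLACK:
        reasons.add("mtime_after_ctime")
    return reasons

def hunt(root):
    """Walk root; return {relative path: sorted reasons} for ELF files with odd timestamps."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_elf(path) and (reasons := timestamp_anomalies(path)):
                findings[os.path.relpath(path, root)] = sorted(reasons)
    return findings

def plant(root, name, elf, year=None):
    """Constructed sample: fake ELF header (or plain text), optionally timestomped to 1 Jan `year`."""
    path = os.path.join(root, name)
    with open(path, "wb") as fh:
        fh.write((ELF_MAGIC if elf else b"text") + b"\0" * 60)
    if year is not None:
        ts = datetime(year, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))

def demo():
    """Plant three constructed files and hunt them; only the timestomped ELF should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        plant(tmp, "ESXDSC04_bert11", elf=True, year=2047)  # file name taken from the report
        plant(tmp, "note.txt", elf=False, year=2076)         # future mtime but not an ELF
        plant(tmp, "ls", elf=True)                           # ordinary binary, honest mtime
        return hunt(tmp)
```

Run demo() to see the constructed case, or point hunt() at a real directory such as a web root or /tmp during triage.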
The BERT group’s blend of recycled REvil code and custom .NET-based Windows tools underscores the evolving threat of cross-platform ransomware.
As investigations continue, organizations are urged to prioritize patch management and network segmentation to limit lateral movement.

IOCs for Immediate Action
- Payload Hashes: MD5 00fdc504be1788231aa7b7d2d1335893 (timestomped sample)
- File Names: newcryptor.exe, ESXDSC04_bert11, note.txt (ransom note)
The BERT group’s shift to Linux underscores the critical need for cross-platform threat hunting. Given the group’s REvil-inspired code and adaptive infrastructure, organizations must adopt proactive defenses to mitigate this dual-OS threat.